Secure Infrastructure Deployment with Ansible Vault

Objective

The goal of this Task is to securely store, manage, and automate the distribution of sensitive credentials using Ansible Vault. The project will integrate Ansible Vault into a CI/CD pipeline with Jenkins, GitHub, AWS Secrets Manager, and Terraform for end-to-end automation.

Technology Stack

Configuration Management: Ansible
Secrets Management: Ansible Vault, AWS Secrets Manager
CI/CD: Jenkins, GitHub Actions
Infrastructure as Code (IaC): Terraform
Cloud Provider: AWS (EC2, S3, IAM, RDS, EKS)
Version Control: GitHub
Scripting: Shell, Python

High-Level Architecture

Developers store secrets securely in Ansible Vault and commit encrypted files to GitHub.
Jenkins pipeline retrieves the encrypted secrets and decrypts them securely using a Vault password file stored in AWS Secrets Manager.
Ansible Playbooks use these secrets to provision and configure AWS resources securely.
Terraform provisions infrastructure while fetching secrets dynamically from Ansible Vault and AWS Secrets Manager.
CI/CD pipeline deploys applications securely while ensuring secret rotation and compliance.

Implementation Steps

1. Setup Ansible Vault for Encrypting Sensitive Information

Create an Ansible Vault password file:

echo "my_secret_password" > .vault_pass

Encrypt sensitive credentials:

ansible-vault encrypt secrets.yml --vault-password-file .vault_pass

Example secrets.yml before encryption:

db_user: admin
db_password: SuperSecurePassword123
aws_access_key: AKIAXXXXXXX
aws_secret_key: 5y3NtXXXXXXX

2. Store the Vault Password Securely in AWS Secrets Manager

Store the Vault password in AWS Secrets Manager:

aws secretsmanager create-secret --name ansible-vault-password --secret-string "my_secret_password"

3. Automate Vault Password Retrieval in CI/CD

Create a Jenkins job to fetch the Ansible Vault password securely:

pipeline {
    agent any
    environment {
        VAULT_PASSWORD = sh(script: "aws secretsmanager get-secret-value --secret-id ansible-vault-password --query SecretString --output text", returnStdout: true).trim()
    }
    stages {
        stage('Decrypt Secrets') {
            steps {
                sh "echo ${VAULT_PASSWORD} > .vault_pass"
                sh "ansible-vault decrypt secrets.yml --vault-password-file .vault_pass"
            }
        }
        stage('Deploy Infrastructure') {
            steps {
                sh "ansible-playbook -i inventory playbook.yml --vault-password-file .vault_pass"
            }
        }
    }
}

4. Encrypt and Secure Jenkins Credentials

Use Jenkins credentials store to inject secrets dynamically.

5. Automate Infrastructure Provisioning with Terraform and Ansible

Use Terraform to provision infrastructure:

resource "aws_instance" "web" {
    ami           = "ami-12345678"
    instance_type = "t2.micro"
    tags = {
        Name = "SecureWebServer"
    }
}

Integrate Terraform with Ansible Vault to fetch secrets dynamically:

export ANSIBLE_VAULT_PASSWORD=$(aws secretsmanager get-secret-value --secret-id ansible-vault-password --query SecretString --output text)

Run Ansible Playbooks after Terraform provisioning:

ansible-playbook -i inventory playbook.yml --vault-password-file .vault_pass

6. Secure Secret Rotation and Compliance

Automate secret rotation with AWS Lambda and trigger it periodically using AWS CloudWatch.

7. Monitor and Audit Security Logs

Enable AWS CloudTrail and AWS Config to monitor access logs.
Integrate Prometheus + Grafana for real-time monitoring of Ansible deployments.

Expected Outcomes

✅ Secure storage and retrieval of secrets using Ansible Vault & AWS Secrets Manager
✅ Automated CI/CD integration with Jenkins & Terraform
✅ Secure infrastructure provisioning using Ansible & AWS
✅ Continuous monitoring & compliance of secrets using AWS CloudTrail & Grafana

This end-to-end task ensures secrets are protected, infrastructure is provisioned securely, and automation is seamless. 🚀